Moonpig is a well-known greeting card company in the UK. You can use their services to send personalized greeting cards to your friends and family. [Paul] decided to do some digging around and discovered a few security vulnerabilities between the Moonpig Android app and their API.
First of all, [Paul] noticed that the system was using basic authentication. This is not ideal, but the company was at least using SSL encryption to protect the customer credentials. After decoding the authentication header, [Paul] noticed something strange. The username and password being sent with each request were not his own credentials. His customer ID was there, but the actual credentials were wrong.
[Paul] created a new account and found that the credentials were the same. By modifying the customer ID in the HTTP request of his second account, he was able to trick the website into spitting out all of the saved address information of his first account. This meant that there was essentially no authentication at all: the credentials identified the app, not the user, so any user could impersonate another user simply by changing the customer ID. Pulling address information may not sound like a big deal, but [Paul] claims that every API request was like this. This meant that you could go as far as placing orders under other customer accounts without their consent.
[Paul] used Moonpig’s API help files to locate more interesting methods. One that stood out to him was the GetCreditCardDetails method. [Paul] gave it a shot, and sure enough the system dumped out credit card details including the last four digits of the card, expiration date, and the name associated with the card. It may not be full card numbers, but this is still obviously a pretty big problem that would be fixed immediately… right?
[Paul] disclosed the vulnerability responsibly to Moonpig in August 2013. Moonpig responded by saying the problem was due to legacy code and it would be fixed promptly. A year later, [Paul] followed up with Moonpig. He was told it should be resolved before Christmas. On January 5, 2015, the vulnerability was still not resolved. [Paul] decided that enough was enough, and he might as well just publish his findings online to help press the issue. It seems to have worked. Moonpig has since disabled its API and released a statement via Twitter claiming that, “all password and payment information is and has always been safe”. That’s great and all, but it would mean a bit more if the passwords actually mattered.
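To make the failure concrete, here is an added example (not Moonpig's code, and the customer IDs, secrets and addresses are constructed) contrasting an address lookup that trusts the customer ID in the request, as the write-up describes, with one that derives the customer from the per-user credential and refuses cross-customer requests:

```python
import base64
import hmac
from typing import Optional

# Constructed sample data: per-customer secrets and saved addresses.
CUSTOMER_SECRETS = {"1001": "s3cret-for-1001", "1002": "s3cret-for-1002"}
ADDRESSES = {"1001": "1 Example Road, London", "1002": "2 Sample Street, Leeds"}
# The single credential pair embedded in the app, as described in the write-up (constructed value).
APP_USER, APP_PASS = "mobileapp", "static-app-password"


def parse_basic_auth(header: str) -> Optional[tuple[str, str]]:
    """Decode 'Basic base64(user:pass)'; return None if the header is malformed."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return user, password


def get_address_vulnerable(auth_header: str, customer_id: str) -> Optional[str]:
    """The pattern from the write-up: the static credential only proves the caller is
    'the app', and the customer ID in the request is trusted as-is (an IDOR)."""
    if parse_basic_auth(auth_header) != (APP_USER, APP_PASS):
        return None
    return ADDRESSES.get(customer_id)


def get_address_fixed(auth_header: str, customer_id: str) -> Optional[str]:
    """Hardened form: the principal is whoever the per-customer credential
    authenticates; the customer_id parameter is checked against it, never trusted."""
    creds = parse_basic_auth(auth_header)
    if creds is None:
        return None
    user, password = creds
    # Constant-time compare; a real service would store and verify a password hash.
    if not hmac.compare_digest(CUSTOMER_SECRETS.get(user, ""), password):
        return None
    if user != customer_id:
        return None  # authenticated as one customer, asking about another: deny
    return ADDRESSES.get(customer_id)


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value the client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

The same principle applies to every endpoint: a handler should never take the identity it acts on from a request parameter when a credential-bound session already says who the caller is.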
If you’re looking for a last-minute Christmas present, you probably won’t have enough time to reproduce [Helmar’s] candle-powered Christmas card. He’s been working on it for a few years now, since his first prototype in 2010. Though he pieced together the original card with parts lying around his workshop, the most recent iteration looks like it belongs on the shelf in a store.
We last saw [Helmar’s] work two years ago, when he shared his Full Color Laser TV. This project is a bit more compact: the circuitry was printed with conductive ink on the cardstock, and all the required components are held together by conductive adhesive. To power the electronics, he decided against a battery and instead chose to embed a solar cell on the inside of the card. Placing a lit candle inside the open card provides enough juice for the exterior of the card to shine.
You can see a video of both the current and prototype versions of [Helmar’s] cards after the break.
[Monirul Pathan] decided to make the card as unique as this gift when getting ready for a birthday. He designed and built his own musical card with LED edge-lit acrylic to display the message.
The electronic design seeks to keep things as flat as possible. The card-shaped acrylic panel has a void to fit the PCB exactly, and the components are relatively flat. One thing we found quite interesting is that the ATtiny85 which drives the device is surface mounted, but it is not a surface mount component. The layout includes through-hole pads, but instead of drilling holes [Monirul] clipped off the excess of the DIP legs and soldered the remainder directly to the copper. We suppose this isn’t going to get a lot of use, so it just needs to hold together for one day.
As you can see in the video after the break, the speaker plays ‘Happy Birthday’ followed by ‘Under the Sea’. At the same time, four blue LEDs pulse to the music, lighting up the words that are engraved in the plastic.
If you’re forever alone we’d guess you’ve long since stopped crying about it. But if you’re still prone to shed a tear on a dateless Valentine’s day this project’s for you. [Mikeasaurus] spruced up this pillow to play a tune when it senses your lonely soul. It’s got a moisture sensor which triggers an audio greeting card just when your weeping really starts to get soggy.
If you look closely at the top portion of the white fabric in the picture you can see there are rows of stitching. These hold a matrix of conductive wire mesh fabric on the inside of the pillow case. There are two buses made up of alternating rows (think of the tines of two forks pointed together) which make up the probes. When the gap is bridged by moisture, a transistor circuit triggers the audio bits from a greeting card to play a song. Check out the demo after the break. We’re not satisfied that [Mikeasaurus] couldn’t even bring himself to cry real tears for the clip, but maybe years of solder fumes have clogged up those tear ducts.
We’re all familiar with those musical greeting cards. Give the Hallmark store $10, and you have a card with a microcontroller inside that plays one of several songs available. [Jarv] was playing around with translating MIDI tracks to square wave songs with an Arduino earlier, so he decided to see how cheaply he could reproduce these musical cards. The resulting build allows him to put any song he wants in his card and costs less than the Hallmark offering.
The circuit is extremely minimal – just an ATtiny85, a battery holder, and two piezo speakers for two-voice harmony. After soldering up the battery and speakers, [Jarv] needed a way to get music on his chip. For this, he used MuseScore, a music notation program that allows [Jarv] to merge multiple voices together.
Once the sheet music was cleaned up, [Jarv] used his XML2H Python script that takes MIDI data and spits out frequencies and delays. In the end, [Jarv] spent less than $5 on his greeting card – almost cheap enough to start thinking about musical throwies to complement the batteries, LEDs and magnets on our window flashing.
Check out the video after the break to hear [Jarv]’s circuit play the theme from Toy Story.
Creativity abounds in putting together this pair of Super Mario Bros. costumes. [Rob] and his wife didn’t stop with a well-assembled troupe of familiar wardrobe items, but decided to go for authentic sound effects as well. It started by finding a few of his favorite Mario sounds on the Internet. From there he grabbed a greeting card that allows you to record several messages. He recorded each of the sounds and removed the electronics from the card. From there an Arduino Mini was connected to the playback buttons and to a Wii nunchuck. After the break you can see that when the kids press a button, the card plays back the sound of jumping, shooting fireballs, etc. It’s the best use of an audio greeting card we’ve seen so far, and one that eclipses its intended use.
Got 30 minutes for a holiday project and don’t want to get wrangled into some sort of decoupage disaster? Evil Mad Scientist Laboratories can show you just how easy it is to do edge lighting effects. Pictured above are three holiday cards constructed using scored plastic. You can use many different types of clear plastic for this, not just acrylic. The lighting is just an LED on a coin cell. Black tape is used to prevent light leaking from the edges. The red and green version above is two stacked layers. This looks like something fun to scale up for a larger project or just to kill some time.